G0 5.5+ firmware compiled Binaries/tools & Exploring the Cam

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Compiled Binaries

binutils
gdb
gdbserver 8.3
strace
Busybox 1.20 (fully loaded)

You can gain access to the root by using sec.bin. If you are stuck on Chinese menu's you can roll back using sec.bin and the files from another Chinese hacked cam. (will provide files info at later date)

I do not YET know how to get English language on a 5.5+ Chinese cam.

The binaries have been tested on IPC_G0_CN_STD_5.5.53_180716.
 

Attachments

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
Wow! Many thanks for sharing.
The looks like a lot of work - and a steep learning curve being climbed. V. impressive!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
I do not YET know how to get English language on a 5.5+ Chinese cam.
I put ML files on a CN DS-2CD3335 a while back by creating a modified iefile.tar.gz - populating it with the language files from the EN/ML firmware and editing the Languages.json file.
This was from the 5.4.41 G0 firmware, so the strings will likely be different, but it might give some ideas of a possible approach.
 

Attachments

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
If you use hikpack on davinci_bak there is script attached to the head off the davinci file after you uncompress the lzma. Run the script it will give 2 files davinci and ppp
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
I've not looked at that yet - but what you've described is a characteristic of the 'dieter and fiona' hacked firmware.
ppp is the rather smart patcher program that makes transient changes to the runtime environment, and checks a licence file, and integrity checks a few items. If it isn't happy, the environment reverts to a standard CN one.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Leecher;s hik_repackv07 to unpack SOME g0 firmwares (works on IPC_G0_EN_STD_5.5.81_190102)

Will also do PC_G0_EN_STD_5.5.82_190130



Unpacker only, will not repack

It will do davinci , but that's left decrypted on the cam at runtime anyway.

hik_repacker runs on x86 Linux ("hik_repacker "removed upon author's request")

HOWEVER YOU DO NOT ACTUALLY NEED THE HIK_REPACKER - all files are stored on the camera unprotected and with no rsa key

you just need to set up cifs/smb or transfer file from cam to other storage area (so get the cam to do the unpacking)
 
Last edited:

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
5553.jpg Time to upgraded to 5.5.82 ...or try ...

V5.5.82 build 190130
NetProcess Version: 8.11.3 [14:17:38-Dec 11 2018]
Path: /Camera/Platform/Branches/branches_FSP_network_protocol/FSP_network_protocol_for_V5.5.81_E3
Last Changed Rev: 454060
Last Changed Date: 2018-10-25 10:42:24 +0800 (Thu, 25 Oct 2018)

Sec Version: 1.0.1 [20:43:45-Mar 22 2018]
Path: /Camera/Platform/Trunk/FSP_network_security
Last Changed Rev: 371116
Last Changed Date: 2018-03-14 12:52:37 +0800 (Wed, 14 Mar 2018)

Db Encrypt Version: 65537
Db Major Version: 1187
Db svn info:
Path: /Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/ipc_baseline/baseline_V5.5.81_G0
Last Changed Rev: 496039
Last Changed Date: 2019-01-28 20:42:44 +0800 (Mon, 28 Jan 2019)
hardwareVersion = 0x0
hardWareExtVersion = 0x0
encodeChans = 1
decodeChans = 1
alarmInNums = 1
alarmOutNums = 1
ataCtrlNums = 0
flashChipNums = 0
rms = 0x100
networksNums = 1
language = 2
devType = 0x22507
net reboot count = 0
vi_type = 32
firmwareCode = 00000002000001000000000107a1bc6f000000020000000100000002ffffffff050500520013011e00022507
Path: /Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/ipc_baseline/baseline_V5.5.81_G0
Last Changed Rev: 496039
Last Changed Date: 2019-01-28 20:42:44 +0800 (Mon, 28 Jan 2019)
ML Firmware unpacked using leachers unpacker than manually put uImage and /dav dir onto cam

Chrome says

<!DOCTYPE html>
<html><head><title>Document Error: Not Found</title></head>
<body><h2>Access Error: 404 -- Not Found</h2>
<p>firmware language mismatch: /dav/webLib</p>
</body>
</html>

You could edit the webLib or the davinci file.
 
Last edited:

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Davinci 5.582 has protection on the decrypted elf file. Some debuggers will alter the segments.

5.5.53 never had this protection(Initrun.sh has size restrictions)

5.5.82 Has PSH enabled in the uImage. disable /delete/rename it in initrun.sh. Use sec.bin to boot to ASH. mount drives/partition and alter initrun.sh.

If you have manually copied files from 5.5.82 EN to a Chinese cam . Then you will be left in a boot loop. Use sec.bin to alter / fix boot loop issues

=========main
=========user_sysinit =====
shared memory address is: 0xb6ad6000, sizeof(DEV_CAPABILITY) = 464336
[07-10 09:06:18][pid:0][HW_IF][ERROR]▒▒▒豸/dev/hikioʧ▒▒
[07-10 09:06:18][pid:0][HW_IF][ERROR]Get Hikio Fd =-1 failed
[07-10 09:06:18][pid:0][HW_IF][ERROR]▒▒▒豸/dev/hikioʧ▒▒
[07-10 09:06:18][pid:0][HW_IF][ERROR]▒▒▒豸/dev/hikioʧ▒▒
[07-10 09:06:18][pid:0][SYSINIT][ERROR]hwif_getsecinfo failed.
[07-10 09:06:18][pid:0][SYSINIT][ERROR]sys app init failed to reboot!
[07-10 09:06:18][pid:0][OTHER][ERROR]daemon can not find Dst process.load_type 0x10012 is_need_ack 1
[07-10 09:06:18][pid:1155][OTHER][ERROR] from daemon ack, dst not work len 0 , load_type is [0x10012]
[07-10 09:06:18][pid:1155][UNI_IF][ERROR]65554:ipc_unix_call_service failed, ret = -3.
[07-10 09:06:18][pid:1155][UNI_IF][ERROR]communicaite_to_davinci failed!!!
[07-10 09:06:19][pid:0][OTHER][ERROR]daemon can not find Dst process.load_type 0x10012 is_need_ack 1
[07-10 09:06:19][pid:1155][OTHER][ERROR] from daemon ack, dst not work len 0 , load_type is [0x10012]
[07-10 09:06:19][pid:1155][UNI_IF][ERROR]65554:ipc_unix_call_service failed, ret = -3.
[07-10 09:06:19][pid:1155][UNI_IF][ERROR]communicaite_to_davinci failed!!!


U-Boot 2010.06-153460 (Oct 10 2015 - 18:21:59)
 
Last edited:

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
You can sometimes mix and match files depending on the SDK used by hikvision. eg old uImage with new a new web gui. OR new web gui with old uImage.

Eg 5.5.82 weblib will run with uImage from 5.5.53. Many things will work fine

the command "busybox telnetd" with give you telnet access (busybox 1.20)
"mount /dev/mmc01 /mnt/mmc01" will mount the mmc01
"mount /dev/nfs00 /mnt/nfs00" will mount the nfs drive (if you have set one up)

/dev/mtdblock5 and 6 is the location of the uImage there are 2 copies one is a backup . if you trash them both you will go into a boot loop (use sec.bin again lol ) Or if you totally trashed it. Do a firmware tftp update.

/dev/mtdblock7 and 8 is the location of "/dav" directories
"try to stay away from the mtdparts , as you may brick your cam with no return…."

5.5.53 CH cam is easy to change to ML (I am unable to supply the details of the davinci code modification as its not mine to give out, if I find a another way of doing it I will release)


5.5.53 /home/process/daemon_fsp_app loaded and decrypted davinci_bak. It decrypted to an lzma then uncompressed. Then it was executed.
Full decrypted davinci was left in the /home/process/ directory. This copy of davinci was modified then run before daemon_fsp_app had a chance to run the original version. There you have a CH cam running ML (well after you copy the webLib dir over to cam from a ML cam)


I have not converted the new 5.5.82 firmware to ML YET!
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
"mount /dev/nfs00 /mnt/nfs00" will mount the nfs drive
Depending on the specific source of the NFS share - normally you'd need a slightly fuller command line for this, unless you're making use of a definition somewhere else.
Plus, the NetHDD configuration in the web GUI does this too, making it permanent.

mount -t nfs -o nolock 192.168.1.201:/sharename /mnt/nfs00

I am unable to supply the details of the davinci code modification as its not mine to give out,
Feel free - it's fine.
Though maybe on request so Hikvision don't know for sure what to obscure on the next firmware rev, which on these cameras isn't EOL yet.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
getting there slowly

Path: /Camera/Platform/Branches/branches_frontend_software_platform/IPC_develop_branch/ipc_baseline/baseline_V5.5.81_G0
Last Changed Rev: 496039
Last Changed Date: 2019-01-28 20:42:44 +0800 (Mon, 28 Jan 2019)
hardwareVersion = 0x0
hardWareExtVersion = 0x0
encodeChans = 1
decodeChans = 1
alarmInNums = 1
alarmOutNums = 1
ataCtrlNums = 0
flashChipNums = 0
rms = 0x100
networksNums = 1
language = 1
devType = 0x22507
net reboot count = 0
vi_type = 32
firmwareCode = 00000002000001000000000107a1bc6f000000010000000100000002ffffffff050500520013011e00022507
 

pepeEL

Getting the hang of it
Joined
May 18, 2016
Messages
168
Reaction score
7
Please wtite step by step how to China version write firmware with English Lang.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
Please wtite step by step how to China version write firmware with English Lang.
Need to check stability. also it is a possibility that a a shell script could be used to just copy needed modifications across or dump mtdpart/dav across from sec bin.

It could end up being a very simple tutorial, if stable.(it may not be stable)

I would prefer if some else released and wrote implementation tutorial,
 
Last edited:

pepeEL

Getting the hang of it
Joined
May 18, 2016
Messages
168
Reaction score
7
Please write me step by step. I need repaire my cam DS-2CD2035-I
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
remember sec.bin is only for certain u-boot's. if you have tftp already in the u-boot you have no need for sec.bin.

You still need to use
setenv bootargs console=ttyAMA0,115200 single loglevel=9
saveenv

Just doing a cam tonight with
U-Boot 2010.06-128034 (May 14 2015 - 19:28:38)

And it already has tftp built in.
 

rearanger

Getting the hang of it
Joined
Feb 10, 2016
Messages
224
Reaction score
96
Location
Scottish Borders
I have noticed on this second upgrade 5.3 > 5.5.82 there are some strange effects. I would recommend using the Restore / Default settings in the Upgrade & Maintenance menu .

i was unable to use this upgrade method via ssh . Even if you could use that method you would need TTL to get out of a boot loop if you triggered one.

The cams i have here all have sdcards so modified firmware has been installed from there.
If your cam does not have sdcard you will need to install from nfs.

It may be possible to flash directly to nand from uboot/sec.bin however i have not tried this.
 
Last edited:
Top